Director at ZDI
Brian Gorenc is the director of Vulnerability Research at Trend Micro. In this role, Gorenc leads the Zero Day Initiative (ZDI) program, the world’s largest vendor-agnostic bug bounty program. His focus includes analyzing and performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. The ZDI works to expose and remediate weaknesses in the world’s most popular software. Brian is also responsible for organizing and adjudicating the ever-popular Pwn2Own hacking competitions. Gorenc has been with ZDI since 2012, continually working on discovering new vulnerabilities, analyzing attack techniques, and identifying vulnerability trends. His work has led to the discovery and remediation of numerous critical vulnerabilities in Microsoft, Adobe, and Oracle products, open-source software, SCADA systems, and embedded devices. He has presented at numerous security conferences, including Black Hat, DEF CON, Breakpoint, Ruxcon, PacSec, REcon, and RSA. More recently, Brian led the team that was awarded the Microsoft Mitigation Bypass Bounty and Blue Hat Bonus for Defense bounty, which resulted in $125,000 being donated to STEM programs. Under his leadership, the Zero Day Initiative program has coordinated the disclosure of over 3,000 zero-day vulnerabilities.
From Bounties to Bureaucracy – The Hidden Market Factors of Exploit Economics
Bug bounty programs are nearly ubiquitous today, but that wasn’t always the case. When the Zero Day Initiative (ZDI) was founded in 2005, bug bounty programs were considered a rare and somewhat controversial commodity. Now they are seen as an indispensable means for companies to acquire bug reports. Our initial goals were similar to those of today’s programs. The ZDI program extended our own research team by leveraging the methodologies, expertise, and time of others around the globe. Imagine adding more than 3,000 independent researchers from around the world to your team. The program asymmetrically enhanced our research capabilities through vulnerability acquisition. It also provided the data needed to protect our customers while the affected vendor worked on a patch. Since then, the program has awarded more than $15 million USD while ensuring that nearly 4,000 0-day vulnerabilities were patched by vendors, all of which makes the computing landscape a safer space and makes ZDI the world’s largest vendor-agnostic bug bounty program.
Even if you don’t participate in a bounty program, such programs affect you and the systems you defend. Over the last decade, mature bug bounty programs have evolved from simply acquiring bug reports to providing real insight into vulnerability and exploit trends. Bug submissions to the available bounty programs had the unintended consequence of effectively crowd-sourcing vulnerability intelligence, revealing industry trends and state-of-the-art exploitation methodologies. Bounty programs affect the exploit marketplace while disrupting the exploit efforts of advanced and persistent threat actors. These programs have tracked the rise and fall of bug classes over the years, and they have tracked the rise and impact of government regulations in different regions of the globe. As shown in recently leaked government documents, bug reports that come through bounty programs disrupt various pieces of the exploit market and force bad actors to change their exploit techniques. When combined with top-tier in-house researchers, the best programs are capable of predicting which major attack surface will become popular next, based on the bugs submitted to the program.
Join ZDI Director Brian Gorenc as he covers the current landscape of bounty programs and the winding, often controversial road that led us here. He also covers the vulnerability economy and the role bug bounties play in shaping the exploit marketplace. Finally, he’ll show how effectively run programs have disrupted exploit usage in the wild.